July Meeting Minutes
Whoops!
https://wiki.spdx.org/view/General_Meeting/Minutes/2021-07-01
There were several attendees whose organizations I don’t know. Please let me know and I will amend. Thanks.
Phil
General Meeting/Minutes/2021-07-01
· Attendance: 22
· Led by Phil Odence
· Minutes of June meeting approved
SPDX Governance - Phil
Status of governance changes
· Still working through using the prepackaged JDF docs with LF lawyers
· Lots there due to general nature
· It will have to go through the specified process for discussion and voting
· Why?
· More scrutiny
· Standards requirement- Companies supporting, logos
· OMG CISQ 3T joining SPDX
· ISO direction – Need more
· Executive Order
· Working with other standards, i.e. SWID and CycloneDX
· Specific concerns that came up
· Community Spec License vs. CCBY
· Patent license to address concerns that have arisen from companies we want to support
· Also, tangentially related SBOM gen tool showed up in repo
· Need criteria for including
· A question came up about discussion of governance on the Gen Mailing list
· We try to limit traffic on the list so one can use it to monitor activity without being overwhelmed
· There will be a chance for discussion of a governance proposal once process goes in motion
· Contact Phil with inputs
· We’ll look into a separate list
Outreach Team Report - Sebastian/Jack
· Rebooted
· SPDX website rework - license for content CC-BY-4.0
· Looking to rebuild website as static site.
· Code and license - more flexibility over precise styling and functionality.
· Prototype of site in next few weeks.
· Technical slides - for presenting about SPDX within one’s own organization.
· Reviewed collateral; focus on collateral that will meet each audience’s needs.
· More explanation of “why”. Point to the specification when getting to details.
· IRC channel
· Sebastian set up #spdx on libera.chat
· previous channels on OFTC, Freenode; hadn’t taken off
· libera.chat has 11 people in it currently
· “cloaking” - hides IP address in some cases, replaces with badge for organization you’re associated with; Sebastian can provide “SPDX cloak”
· Matrix bridge - feature of libera.chat, enables joining via Matrix
· Meeting date and time: new meeting time will be 1500 UTC on Wednesdays, starting 14 July
Legal Team Report - Jilayne/Paul/Steve
· Several new folks participating
· Ariel and Candice from ClearlyDefined have been digging into the Python stack of licenses
· License List 3.14 release - targeting end of July
Tech Team Report - Kate/Gary/Others
· Tools
· GSoC - JSON support in Golang; will seek to get GSoC student to present at a future General Meeting
· New participants interacting with tools, and seeing pull requests.
· NTIA Plugfest
· new tools emerging from communities
· SPDX was most common format in use
· Couldn’t yet get down to SPDX field-by-field comparison
· SPDX Plugfest?
· Desire to have Japan SPDX Plugfest
· One for North America
· Anchore has a tool supporting SPDX output (github.com/anchore/syft); if you need more 3.0 examples we can work on it. We have 2.2 now but can fairly quickly iterate for some 3.0 support.
· Specification
· ISO/IEC PRF 5962, Information Technology — SPDX® Specification V2.2.1: moved to PRF status; publication date 2021-08
· OCI registry overview and how SPDX could interact with containers.
· Specification 3.0 Work
· Looking for more 3.0 examples in serialization
· Lacking critical mass for some decisions - vacations
· Moving through punch list on core model.
· Vulnerability - waiting for core. Snyk put up a nice post.
· Feedback in progress.
· Serialization needs to become clearer.
· More examples are needed.
· Follow up VEX and CSAF
· Licensing profile - pretty similar to 2.2 already.
· Remaining: formatting for how the template can be expressed.
Other Topics
· Open question: why spdx.dev vs. spdx.org? The license list is dynamically generated on spdx.org (Drupal → WordPress); how to keep the license list populating to the website.
· Keep license list URL stable.
· Wikipedia page on SPDX is pretty stale.
· Needs to be updated. Outreach will take it.
Attendees
· Phil Odence, Black Duck/Synopsys
· Philippe Emmanuel Douziech, CAST
· Bob Martin, Mitre
· Joshua Marpet, RM-ISAO
· David Edelsohn, IBM
· Sebastian Crane
· Marc Etienne Vargenau, Nokia
· Zach Hill, Anchore
· Steve Winslow, LF
· Kate Stewart, Linux Foundation
· William Cox, Synopsys
· Jack Manbeck, TI
· Alexios Zavras, Intel
· Warner Losh, FreeBSD
· Alfredo Espinosa
· Jilayne Lovejoy, Red Hat
· Chris Lusk
· Andrew Jorganson, AWS
· Thomas Steenbergen, HERE
· Ronda
· Brian Fox, Sonatype
· Michael Herzog, nexB